Overview

overview

10

Static

static

8

SecuriteIn...35.exe

windows7_x64

10

SecuriteIn...35.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-12-2020 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe

  • Size

    662KB

  • MD5

    b9e0e5a33a7a99acc1a45f959d7f0516

  • SHA1

    771c6f695993c1599383f396d2fc25a5b9dbdeb2

  • SHA256

    57e0906e3b6e13fe8db13cc06ce37d957bfc045afa6e99e9cf8b893ceb57d018

  • SHA512

    a1a26b98c3fdcd107a804e936d92f96f63d8c555552fd150de9e7cb0b42c71ad62efa33a3c3a8d2ec0c6a425df211f4afb8882f62e80644b78c6e3a4d7cc9134

Score
10/10
cryptbotdanabot3bankerdiscoveryevasionspywarestealertrojanupx

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

108.62.118.103:443

104.144.64.163:443

192.241.101.68:443

108.62.141.152:443
Attributes
  • embedded_hash

    49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Users\Admin\AppData\Local\Temp\File19.exe
      "C:\Users\Admin\AppData\Local\Temp\File19.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Drops startup file
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3432
        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          PID:1892
      • C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\amtwfcuyrtrkc & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:2416
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\amtwfcuyrtrkc & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:660
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:2216
      • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe
          "C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\GOHGEA~1.EXE
            5⤵
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:504
            • C:\Windows\SysWOW64\RUNDLL32.EXE
              C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL,YEAgfI1V
              6⤵
              • Blocklisted process makes network request
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:3800
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDE30.tmp.ps1"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3768
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFFB5.tmp.ps1"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3204
                • C:\Windows\SysWOW64\nslookup.exe
                  "C:\Windows\system32\nslookup.exe" -type=any localhost
                  8⤵
                    PID:3324
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                  7⤵
                    PID:648
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                    7⤵
                      PID:192
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vxkxegmotbf.vbs"
                4⤵
                  PID:4088
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wojrojg.vbs"
                  4⤵
                  • Blocklisted process makes network request
                  • Modifies system certificate store
                  PID:3360
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\8dAjrNrT & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:480
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                3⤵
                • Delays execution with timeout.exe
                PID:3244

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/60-3-0x00000000054D0000-0x00000000054D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/60-2-0x00000000053E1000-0x00000000053E2000-memory.dmp

            Filesize

            4KB

            Download

          • memory/504-54-0x0000000004D50000-0x00000000053AF000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/1196-41-0x0000000005B50000-0x0000000005B51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1256-25-0x0000000004690000-0x0000000004691000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1256-28-0x0000000004E90000-0x0000000004E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1892-35-0x0000000004E30000-0x0000000004E31000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1892-34-0x0000000004630000-0x0000000004631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2148-29-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2148-26-0x00000000045E0000-0x00000000045E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3204-90-0x0000000008150000-0x0000000008151000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3204-88-0x0000000007750000-0x0000000007751000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3204-81-0x0000000070B90000-0x000000007127E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3432-27-0x0000000004870000-0x0000000004871000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3432-30-0x0000000005070000-0x0000000005071000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-61-0x0000000070E60000-0x000000007154E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3768-70-0x0000000008900000-0x0000000008901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-74-0x0000000008A10000-0x0000000008A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-75-0x000000000A0D0000-0x000000000A0D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-76-0x0000000009650000-0x0000000009651000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-77-0x0000000007470000-0x0000000007471000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-69-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-68-0x00000000084E0000-0x00000000084E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-67-0x0000000008190000-0x0000000008191000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-66-0x0000000008120000-0x0000000008121000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-65-0x0000000007F40000-0x0000000007F41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-64-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-63-0x0000000007840000-0x0000000007841000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3768-62-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3800-59-0x0000000004890000-0x0000000004EEF000-memory.dmp

            Filesize

            6.4MB

            Download